Thursday, June 12, 2014
It’s 10 p.m.–do you know where your data is?
by Larry Geller
I asked in an earlier article if anyone knew if there were laws in Hawaii that apply to an organization when its data is breached—that require it to notify those affected, for example. Well, there’s nothing like doing the research myself, so I called several people today. With thanks to those who helped, and who each emphasized that the problem is a growing one, I do have pointers to the relevant laws. See towards the end of this article.
But first, there’s another data breach story in the paper today: 36 boxes of data from a car rental company (which is not identified, and perhaps the name is not available to the paper). The thief was caught in an apparent sting operation—that’s what the story is about—and as usual, there’s no discussion of why 36 boxes of data were available for stealing.
Since the case was filed in federal court, it was easy to look up the documents. In particular, I was interested in learning which rental car company keeps its data in 36 boxes so poorly guarded that someone could make off with them. 36 boxes don’t fit onto the back seat of a car, nor can they be easily snuck out if there were CCTV cameras or other typical security measures.
But to my chagrin, the indictment, which might have had that information, is sealed. So I placed a call to the US attorney, but the call has not yet been returned. I’ll try again tomorrow. Perhaps it is routine to seal the indictment, but I’d like to know more about it, and also, if it is possible to get it unsealed in the public interest. I know that I would not want to rent from that company, and perhaps you feel the same way. So it’s worth trying to find out which one it is.
Why is there a dearth of stories about failure to protect data?
Star-Advertiser data was reported to have been taken from a public storage locker. I would estimate that most people know that those lockers are not completely secure. I received a letter from the place where I rent a locker offering insurance, since they would not be responsible for the contents. I am.
One day I was notified that the lock to my little storage room was found open. They sent me a postcard (!). I hadn't been into the room for awhile, so I assumed it had been burglarized. It turned out to be a false report.
Later, came that insurance letter. Any connection? Who knows…
So why would a responsible company put data in a storage locker?
I don’t expect the paper (or the car rental company or any other organization) to volunteer that it may be responsible for not protecting personal data entrusted to it. That would invite lawsuits, wouldn’t it.
Despite the Star-Advertiser statement through its reporter (!) that “a small number of advertising accounts using a credit card to pay bills may be involved,” how do we know that both advertiser data and subscriber data are not both in that locker? So far, the newspaper has not come clean.
Sloppy data protection enables ID theft. I think those whose data is being compromised might be interested to know about it.
Hawaii’s data breach laws
Over the years, our legislature has passed some darn good laws. Indeed we have data protection laws. I’ll snip from them. Now, I’m not an attorney, but after reading these sections of the Hawaii Revised Statutes, it could be worth checking with someone on whether the Star-Advertiser has an obligation to notify those affected by the data breach.
Let’s dig in. This one seems on point. Here is only the first paragraph with a link to the entire section:
§487N-2 Notice of security breach. (a) Any business that owns or licenses personal information of residents of Hawaii, any business that conducts business in Hawaii that owns or licenses personal information in any form (whether computerized, paper, or otherwise), or any government agency that collects personal information for specific government purposes shall provide notice to the affected person that there has been a security breach following discovery or notification of the breach. The disclosure notification shall be made without unreasonable delay, consistent with the legitimate needs of law enforcement as provided in subsection (c) of this section, and consistent with any measures necessary to determine sufficient contact information, determine the scope of the breach, and restore the reasonable integrity, security, and confidentiality of the data system.
Here’s the heart of the question of whether using someone’s name obtained from a buisiness credit card is covered by the statute. This is snipped from the definitions section in §487N-1 Definitions:
"Personal information" means an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:
(1) Social security number;
(2) Driver's license number or Hawaii identification card number; or
(3) Account number, credit or debit card number, access code, or password that would permit access to an individual's financial account.
It’s that “individual’s financial account” part that leaves me uncertain.
Hawaii law even specifies how records containing personal data must be disposed of. See §487R-2 Destruction of personal information records.
[One day, walking home from downtown, I found a street garbage can overflowing with legal records containing gobs of personal information. I notified the law firm to come and retrieve them and don’t know what came of it, but perhaps they thought the records had been safely destroyed… they weren’t.]
We don’t really know what data was taken from the Star-Advertiser storage locker. I suggest that there should be an investigation. Not out of any animosity for the paper, but because Hawaii needs to clean up its act.
Businesses can protect us by practicing good stewardship of the personal data entrusted to them. Unless there is followup in each case of breach, there is not much incentive to do better, is there, since it is only the thieves who go to jail as our credit ratings are skewered.